Platform
php
Component
amazing-little-poll
Fixed in
1.3.1
1.4.1
CVE-2023-6768 is an authentication bypass in Amazing Little Poll versions 1.3 and 1.4. A request to lp_admin.php with a crafted adminstep= query parameter reaches the administrative panel without any credentials, so the login check that is supposed to guard the panel is never enforced. The page lists 1.3.1 and 1.4.1 as the fixed versions; 1.4.1 is the current patched release.
The impact is serious. Whoever reaches the admin panel controls the poll: questions and answer options can be changed, results altered or reset, and any other setting the panel exposes modified. Whether an attacker can go further (for example uploading files or running code on the host) depends entirely on what the admin panel itself lets an administrator do, so treat every capability it offers as reachable by an anonymous client. Everyone who votes in or views an affected poll is exposed to tampered questions and results, and because the request needs no credentials, any installation reachable from the internet can be hit.
CVE-2023-6768 was publicly disclosed on December 20, 2023. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. No public proof-of-concept code has been released, but the vulnerability is relatively straightforward to exploit. It is currently not listed on the CISA KEV catalog.
Any site running Amazing Little Poll 1.3 or 1.4 with lp_admin.php reachable from untrusted networks is affected. Shared-hosting installations deserve extra attention because the operator often cannot change the web server configuration needed for the access restriction described under mitigation, leaving upgrade as the only option. Sites without access logging or with no process for applying plugin updates are also at increased risk, since they are unlikely to notice or close the hole.
• php / web:
curl -I 'http://your-website.com/lp_admin.php?adminstep='
A 200 response to this unauthenticated request means the admin page was served rather than refused or redirected. Because some applications also answer 200 with a login form, confirm by repeating the request as a GET (drop -I) and checking that the body is the admin interface rather than a login page.
• generic web:
grep -F 'lp_admin.php?adminstep=' /var/log/apache2/access.log
Requests to lp_admin.php carrying an adminstep parameter from clients that never logged in, from unfamiliar source IPs, or from non-browser user agents indicate probing or exploitation. The application uses a PHP session rather than HTTP authentication headers, so the absence of an Authorization header is not by itself a signal.
• php / web:
find /var/www/html -name 'lp_admin.php' -print
Locate every installed copy and compare its version with the fixed releases (1.3.1, 1.4.1). lp_admin.php must remain reachable by administrators, so the question is whether the installed version is patched and whether access to the file is restricted, not whether the file exists.
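The log check above in runnable form, as an added example rather than anything shipped with the advisory or the Amazing Little Poll project: the access-log lines are constructed for the example, and the functions simply apply the fixed-string match and summarise hits per source address. The probe function at the end needs network access and the target URL is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or the project): find requests that
# hit lp_admin.php with an adminstep parameter in a combined-format access
# log and summarise them per client IP.

# Constructed sample log: two bypass-shaped requests from 203.0.113.7, one
# ordinary poll view, and one POST to lp_admin.php without the parameter.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [20/Dec/2023:10:01:02 +0000] "GET /poll/lp_admin.php?adminstep=1 HTTP/1.1" 200 4120 "-" "curl/8.4.0"
198.51.100.3 - - [20/Dec/2023:10:01:05 +0000] "GET /poll/lp_poll.php?id=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2023:10:01:09 +0000] "GET /poll/lp_admin.php?adminstep=config HTTP/1.1" 200 5010 "-" "curl/8.4.0"
192.0.2.44 - - [20/Dec/2023:10:02:30 +0000] "POST /poll/lp_admin.php HTTP/1.1" 302 0 "http://example.test/poll/lp_admin.php" "Mozilla/5.0"
EOF
)

# Keep only lines whose request targets lp_admin.php with an adminstep
# parameter. -F makes '.' and '?' literal instead of regex metacharacters.
suspicious_requests() {
    grep -F 'lp_admin.php?adminstep='
}

# Number of matching requests on stdin, as a bare integer.
count_suspicious() {
    suspicious_requests | wc -l | tr -d ' '
}

# Matching requests per client IP (field 1 of combined log format),
# printed as "count ip", most active source first.
hits_per_ip() {
    suspicious_requests | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Live probe (needs network, not exercised offline): HTTP status returned for
# an unauthenticated GET of the admin step page. -L is deliberately omitted so
# a redirect to a login page shows up as 30x instead of being followed.
probe_admin_status() {
    curl -s -o /dev/null -w '%{http_code}' "${1%/}/lp_admin.php?adminstep="
}

# Stand-alone run: summarise the constructed log.
printf '%s\n' "$SAMPLE_LOG" | hits_per_ip
```

Pipe a real log in place of the sample (`hits_per_ip < /var/log/apache2/access.log`); a source that appears with many adminstep requests and no preceding successful login is the pattern to escalate.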
Disclosure
Exploit status
EPSS
0.07% (21st percentile)
CVSS vector
The primary mitigation is to upgrade Amazing Little Poll to version 1.4.1 or later immediately. If upgrading is not feasible right away because of compatibility concerns, restrict access to lp_admin.php at the web server (for example with an .htaccess file on Apache) so that only administrators' networks can reach it; the public poll pages do not need that file. Monitor access logs for requests to lp_admin.php with unexpected adminstep values. After upgrading, confirm the fix by requesting the admin panel without a session and checking that you are refused or redirected to the login page rather than shown the panel.
Update to a patched version, or disable the plugin if no patched version is available. Restrict access to the lp_admin.php file through the web server configuration (for example .htaccess in Apache) to prevent unauthorized access.
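The web-server workaround above, as an added example that is not part of the advisory or of the Amazing Little Poll project: a small script that writes an Apache 2.4 .htaccess scoping a `Require ip` rule to lp_admin.php and then checks the directive is in place. The install directory and the allowed network are assumptions; the directory must have AllowOverride enabled for `<Files>` blocks and mod_authz_core loaded.

```shell
#!/bin/sh
# Added example (not from the advisory or the project): restrict lp_admin.php
# to an allow-listed network with an Apache 2.4 .htaccess, leaving the public
# poll pages reachable.

# Write "$1/.htaccess" allowing only the CIDR in "$2" to request lp_admin.php.
# Apache 2.4 syntax (Require ip); on 2.2 the equivalent is Order/Allow/Deny.
write_admin_restriction() {
    dir="$1"
    allowed="$2"
    cat > "$dir/.htaccess" <<EOF
# Temporary workaround for CVE-2023-6768: only $allowed may reach the admin page.
<Files "lp_admin.php">
    Require ip $allowed
</Files>
EOF
}

# Exit 0 if "$1/.htaccess" scopes a Require ip rule to lp_admin.php.
restriction_present() {
    grep -q '<Files "lp_admin.php">' "$1/.htaccess" \
        && grep -q '^ *Require ip ' "$1/.htaccess"
}

# Live verification (needs network, not run offline): from outside the allowed
# network the admin step page must now answer 403 instead of 200.
admin_page_status() {
    curl -s -o /dev/null -w '%{http_code}' "${1%/}/lp_admin.php?adminstep="
}

# Stand-alone run against a scratch directory (assumed path, then removed).
scratch=$(mktemp -d)
write_admin_restriction "$scratch" 203.0.113.0/24
cat "$scratch/.htaccess"
restriction_present "$scratch" && echo "restriction in place"
rm -rf "$scratch"
```

`Require ip` matches the address Apache sees on the connection, so behind a reverse proxy or CDN configure mod_remoteip first or the rule will compare against the proxy's address. Run `apachectl configtest` after adding the file, then confirm from an outside address that `admin_page_status` reports 403.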
CVE-2023-6768 is a critical vulnerability in Amazing Little Poll versions 1.3 and 1.4 that allows unauthenticated users to access the admin panel by manipulating the lp_admin.php?adminstep= parameter.
You are affected if you are using Amazing Little Poll versions 1.3 or 1.4. Upgrade to version 1.4.1 or later to mitigate the risk.
Upgrade Amazing Little Poll to version 1.4.1 or later. As a temporary workaround, restrict access to lp_admin.php using your web server configuration.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the official Amazing Little Poll website or plugin repository for the latest advisory and update information.